@lenne.tech/nest-server 9.0.31 → 9.2.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lenne.tech/nest-server",
-  "version": "9.0.31",
+  "version": "9.2.0",
   "description": "Modern, fast, powerful Node.js web framework in TypeScript based on Nest with a GraphQL API and a connection to MongoDB (or other databases).",
   "keywords": [
     "node",
@@ -60,78 +60,83 @@
     "node": ">= 16.13.0"
   },
   "dependencies": {
-    "@apollo/gateway": "2.2.3",
-    "@nestjs/apollo": "10.1.7",
-    "@nestjs/common": "9.2.1",
-    "@nestjs/core": "9.2.1",
-    "@nestjs/graphql": "10.1.7",
-    "@nestjs/jwt": "10.0.1",
+    "@apollo/gateway": "2.3.2",
+    "@nestjs/apollo": "10.2.0",
+    "@nestjs/common": "9.3.9",
+    "@nestjs/core": "9.3.9",
+    "@nestjs/graphql": "10.2.0",
+    "@nestjs/jwt": "10.0.2",
     "@nestjs/mongoose": "9.2.1",
-    "@nestjs/passport": "9.0.0",
-    "@nestjs/platform-express": "9.2.1",
-    "@nestjs/schedule": "2.1.0",
+    "@nestjs/passport": "9.0.3",
+    "@nestjs/platform-express": "9.3.9",
+    "@nestjs/schedule": "2.2.0",
     "apollo-server-core": "3.11.1",
     "apollo-server-express": "3.11.1",
     "bcrypt": "5.1.0",
     "class-transformer": "0.5.1",
     "class-validator": "0.14.0",
+    "compression": "1.7.4",
+    "cookie-parser": "1.4.6",
     "ejs": "3.1.8",
     "graphql": "16.6.0",
+    "graphql-query-complexity": "0.12.0",
     "graphql-subscriptions": "2.0.0",
     "graphql-upload": "15.0.2",
     "js-sha256": "0.9.0",
-    "json-to-graphql-query": "2.2.4",
+    "json-to-graphql-query": "2.2.5",
     "light-my-request": "5.8.0",
     "lodash": "4.17.21",
-    "mongodb": "4.13.0",
-    "mongoose": "6.8.4",
+    "mongodb": "4.14.0",
+    "mongoose": "6.9.1",
     "mongoose-gridfs": "1.3.0",
-    "multer-gridfs-storage": "5.0.2",
     "multer": "1.4.5-lts.1",
-    "node-mailjet": "6.0.1",
-    "nodemailer": "6.9.0",
+    "multer-gridfs-storage": "5.0.2",
+    "node-mailjet": "6.0.2",
+    "nodemailer": "6.9.1",
     "nodemon": "2.0.20",
     "passport": "0.6.0",
     "passport-jwt": "4.0.1",
     "reflect-metadata": "0.1.13",
     "rfdc": "1.3.0",
-    "rimraf": "4.1.1",
+    "rimraf": "4.1.2",
     "rxjs": "7.8.0"
   },
   "devDependencies": {
-    "@nestjs/testing": "9.2.1",
+    "@nestjs/testing": "9.3.9",
+    "@types/compression": "1.7.2",
+    "@types/cookie-parser": "1.4.3",
     "@types/cron": "2.0.0",
     "@types/ejs": "3.1.1",
-    "@types/jest": "29.2.6",
+    "@types/jest": "29.4.0",
     "@types/lodash": "4.14.191",
     "@types/multer": "1.4.7",
-    "@types/node": "18.11.18",
+    "@types/node": "18.13.0",
     "@types/nodemailer": "6.4.7",
     "@types/passport": "1.0.11",
     "@types/supertest": "2.0.12",
-    "@typescript-eslint/eslint-plugin": "5.48.2",
-    "@typescript-eslint/parser": "5.48.2",
+    "@typescript-eslint/eslint-plugin": "5.52.0",
+    "@typescript-eslint/parser": "5.52.0",
     "coffeescript": "2.7.0",
-    "eslint": "8.32.0",
+    "eslint": "8.34.0",
     "eslint-config-prettier": "8.6.0",
     "find-file-up": "2.0.1",
-    "grunt": "1.5.3",
+    "grunt": "1.6.1",
     "grunt-bg-shell": "2.3.3",
     "grunt-contrib-clean": "2.0.1",
     "grunt-contrib-watch": "1.1.0",
     "grunt-sync": "0.8.2",
     "husky": "8.0.3",
-    "jest": "29.3.1",
+    "jest": "29.4.2",
     "npm-watch": "0.11.0",
     "pm2": "5.2.2",
-    "prettier": "2.8.3",
+    "prettier": "2.8.4",
     "pretty-quick": "3.1.3",
     "supertest": "6.3.3",
     "ts-jest": "29.0.5",
     "ts-morph": "17.0.1",
     "ts-node": "10.9.1",
     "tsconfig-paths": "4.1.2",
-    "typescript": "4.9.4",
+    "typescript": "4.9.5",
     "yalc": "1.0.0-pre.53"
   },
   "overrides": {

package/src/config.env.ts

@@ -12,6 +12,8 @@ const config: { [env: string]: IServerOptions } = {
   // ===========================================================================
   local: {
     automaticObjectIdFiltering: true,
+    compression: true,
+    cookies: false,
     cronJobs: {
       sayHello: {
         cronTime: CronExpression.EVERY_10_SECONDS,
@@ -52,16 +54,27 @@ const config: { [env: string]: IServerOptions } = {
         debug: true,
         introspection: true,
       },
+      maxComplexity: 20,
     },
     jwt: {
-      secret: 'SECRET_OR_PRIVATE_KEY_DEV',
+      secret: 'SECRET_OR_PRIVATE_KEY_LOCAL',
+      signInOptions: {
+        expiresIn: '15m',
+      },
+      refresh: {
+        secret: 'SECRET_OR_PRIVATE_KEY_LOCAL_REFRESH',
+        signInOptions: {
+          expiresIn: '7d',
+        },
+      },
     },
     loadLocalConfig: false,
+    logExceptions: true,
     mongoose: {
       collation: {
         locale: 'de',
       },
-      uri: 'mongodb://127.0.0.1/nest-server-dev',
+      uri: 'mongodb://127.0.0.1/nest-server-local',
     },
     port: 3000,
     sha256: true,
@@ -80,6 +93,8 @@ const config: { [env: string]: IServerOptions } = {
   // ===========================================================================
   development: {
     automaticObjectIdFiltering: true,
+    compression: true,
+    cookies: false,
     email: {
       smtp: {
         auth: {
@@ -111,11 +126,22 @@ const config: { [env: string]: IServerOptions } = {
         debug: true,
         introspection: true,
       },
+      maxComplexity: 20,
     },
     jwt: {
       secret: 'SECRET_OR_PRIVATE_KEY_DEV',
+      signInOptions: {
+        expiresIn: '15m',
+      },
+      refresh: {
+        secret: 'SECRET_OR_PRIVATE_KEY_DEV_REFRESH',
+        signInOptions: {
+          expiresIn: '7d',
+        },
+      },
     },
     loadLocalConfig: false,
+    logExceptions: true,
     mongoose: {
       collation: {
         locale: 'de',
@@ -139,6 +165,8 @@ const config: { [env: string]: IServerOptions } = {
   // ===========================================================================
   production: {
     automaticObjectIdFiltering: true,
+    compression: true,
+    cookies: false,
     email: {
       smtp: {
         auth: {
@@ -170,11 +198,22 @@ const config: { [env: string]: IServerOptions } = {
         debug: false,
         introspection: true,
       },
+      maxComplexity: 20,
     },
     jwt: {
       secret: 'SECRET_OR_PRIVATE_KEY_PROD',
+      signInOptions: {
+        expiresIn: '15m',
+      },
+      refresh: {
+        secret: 'SECRET_OR_PRIVATE_KEY_PROD_REFRESH',
+        signInOptions: {
+          expiresIn: '7d',
+        },
+      },
     },
     loadLocalConfig: false,
+    logExceptions: true,
     mongoose: {
       collation: {
         locale: 'de',

package/src/core/common/filters/http-exception-log.filter.ts

@@ -0,0 +1,27 @@
+import { ArgumentsHost, Catch, ContextType, ExceptionFilter, HttpException } from '@nestjs/common';
+import { Response } from 'express';
+
+@Catch(HttpException)
+export class HttpExceptionLogFilter implements ExceptionFilter {
+  /**
+   * Log exception
+   */
+  catch(exception: HttpException, host: ArgumentsHost) {
+    // Log
+    console.debug(exception.stack);
+
+    // GraphQL
+    const type = host.getType() as ContextType | 'graphql';
+    if (type === 'graphql') {
+      return exception;
+    }
+
+    // REST
+    const ctx = host.switchToHttp();
+    const res = ctx.getResponse<Response>();
+    const status = exception.getStatus();
+    res.status(status).json({
+      ...exception,
+    });
+  }
+}

package/src/core/common/helpers/db.helper.ts

@@ -6,6 +6,7 @@ import { CoreModel } from '../models/core-model.model';
 import { FieldSelection } from '../types/field-selection.type';
 import { IdsType } from '../types/ids.type';
 import { StringOrObjectId } from '../types/string-or-object-id.type';
+import { removePropertiesDeep } from './input.helper';
 
 // =====================================================================================================================
 // Export functions
@@ -350,7 +351,7 @@ export function getPopulatOptionsFromSelections(selectionNodes: readonly Selecti
     // Check for subfields
     if (node.selectionSet?.selections?.length) {
       for (const innerNode of node.selectionSet.selections as FieldNode[]) {
-        // Subfiled is a primitive
+        // Subfield is a primitive
         if (!innerNode.selectionSet?.selections?.length) {
           option.select ? option.select.push(innerNode.name.value) : (option.select = [innerNode.name.value]);
         }
@@ -477,10 +478,14 @@ export async function popAndMap<T extends CoreModel>(
   queryOrDocument: Query<any, any> | Document | Document[],
   populate: FieldSelection,
   modelClass: new (...args: any[]) => T,
-  mongooseModel?: Model<any>
+  mongooseModel?: Model<any>,
+  options?: {
+    ignoreSelections?: boolean;
+  }
 ): Promise<T | T[]> {
   let result;
   let populateOptions: PopulateOptions[] = [];
+  const ignoreSelections = options?.ignoreSelections;
   if (populate) {
     if (
       Array.isArray(populate) &&
@@ -511,13 +516,13 @@ export async function popAndMap<T extends CoreModel>(
   } else {
     // Process documents
     if (Array.isArray(queryOrDocument)) {
-      await setPopulates(queryOrDocument, populateOptions, mongooseModel);
+      await setPopulates(queryOrDocument, populateOptions, mongooseModel, { ignoreSelections });
       result = queryOrDocument.map((item) => (modelClass as any).map(item));
     }
 
     // Process document
     else {
-      await setPopulates(queryOrDocument, populateOptions, mongooseModel);
+      await setPopulates(queryOrDocument, populateOptions, mongooseModel, { ignoreSelections });
       result = (modelClass as any).map(queryOrDocument);
     }
   }
@@ -562,7 +567,8 @@ export function removeIds(source: any[], ids: StringOrObjectId | StringOrObjectI
 export async function setPopulates<T = Query<any, any> | Document>(
   queryOrDocument: T,
   populateOptions: string[] | PopulateOptions[] | (string | PopulateOptions)[],
-  mongooseModel: Model<any>
+  mongooseModel: Model<any>,
+  options?: { ignoreSelections: boolean }
 ): Promise<T> {
   // Check parameters
   if (!populateOptions?.length || !queryOrDocument) {
@@ -580,6 +586,10 @@ export async function setPopulates<T = Query<any, any> | Document>(
     });
   }
 
+  if (options?.ignoreSelections) {
+    removePropertiesDeep(populateOptions, ['select']);
+  }
+
   // Query => Chaining
   if (queryOrDocument instanceof Query) {
     for (const options of populateOptions) {

package/src/core/common/helpers/input.helper.ts

@@ -718,3 +718,52 @@ export function prepareServiceOptionsForCreate(serviceOptions: any) {
   }
   return serviceOptions;
 }
+
+/**
+ * Remove properties deep
+ */
+export function removePropertiesDeep(
+  data: any,
+  properties: string[],
+  options?: {
+    processedObjects?: WeakMap<new () => any, boolean>;
+  }
+): any {
+  // Set options
+  const { processedObjects } = {
+    processedObjects: new WeakMap(),
+    ...options,
+  };
+
+  // Check for falsifiable values
+  if (!data) {
+    return data;
+  }
+
+  // Prevent circular processing
+  else if (typeof data === 'object') {
+    if (processedObjects.get(data)) {
+      return data;
+    }
+    processedObjects.set(data, true);
+  }
+
+  // Process array
+  if (Array.isArray(data)) {
+    return data.map((item) => removePropertiesDeep(item, properties, { processedObjects }));
+  }
+
+  // Process object
+  if (typeof data === 'object') {
+    for (const prop of properties) {
+      delete data[prop];
+    }
+    for (const [key, value] of Object.entries(data)) {
+      data[key] = removePropertiesDeep(value, properties, { processedObjects });
+    }
+    return data;
+  }
+
+  // Process others
+  return data;
+}

package/src/core/common/interceptors/check-security.interceptor.ts

@@ -0,0 +1,51 @@
+import { Injectable, NestInterceptor, ExecutionContext, CallHandler } from '@nestjs/common';
+import { Observable } from 'rxjs';
+import { map } from 'rxjs/operators';
+import { AuthResolver } from '../../../server/modules/auth/auth.resolver';
+import { getContextData } from '../helpers/context.helper';
+import { processDeep } from '../helpers/input.helper';
+
+/**
+ * Verification of all outgoing data via securityCheck
+ */
+@Injectable()
+export class CheckSecurityInterceptor implements NestInterceptor {
+  intercept(context: ExecutionContext, next: CallHandler): Observable<any> {
+    // Get current user
+    const user = getContextData(context)?.currentUser;
+
+    // Set force mode for sign in and sign up
+    let force = false;
+    if (!user) {
+      if (context.getClass() === AuthResolver) {
+        force = true;
+      }
+    }
+
+    // Check response
+    return next.handle().pipe(
+      map((data) => {
+        // Check data
+        if (data && typeof data === 'object' && typeof data.securityCheck === 'function') {
+          return data.securityCheck(user, force);
+        }
+
+        // Check if data is writeable (e.g. objects from direct access to json files via http are not writable)
+        if (data && typeof data === 'object') {
+          const writeable = !Object.keys(data).find((key) => !Object.getOwnPropertyDescriptor(data, key).writable);
+          if (!writeable) {
+            return data;
+          }
+        }
+
+        // Check deep
+        return processDeep(data, (item) => {
+          if (!item || typeof item !== 'object' || typeof item.securityCheck !== 'function') {
+            return item;
+          }
+          return item.securityCheck(user, force);
+        });
+      })
+    );
+  }
+}

package/src/core/common/interfaces/server-options.interface.ts

@@ -1,15 +1,57 @@
 import { ApolloDriverConfig } from '@nestjs/apollo';
 import { GqlModuleAsyncOptions } from '@nestjs/graphql';
 import { JwtModuleOptions } from '@nestjs/jwt';
+import { JwtSignOptions } from '@nestjs/jwt/dist/interfaces';
 import { MongooseModuleOptions } from '@nestjs/mongoose';
 import { ServeStaticOptions } from '@nestjs/platform-express/interfaces/serve-static-options.interface';
 import { CronExpression } from '@nestjs/schedule';
+import compression from 'compression';
 import { CollationOptions } from 'mongodb';
 import * as SMTPTransport from 'nodemailer/lib/smtp-transport';
 import { Falsy } from '../types/falsy.type';
 import { CronJobConfig } from './cron-job-config.interface';
 import { MailjetOptions } from './mailjet-options.interface';
 
+/**
+ * Interface for JWT configuration (main and refresh)
+ */
+export interface IJwt {
+  /**
+   * Private key
+   */
+  privateKey?: string;
+
+  /**
+   * Public key
+   */
+  publicKey?: string;
+
+  /**
+   * Secret to encrypt the JWT
+   */
+  secret?: string;
+
+  /**
+   * JWT Provider
+   * See https://github.com/mikenicholson/passport-jwt/blob/master/README.md#configure-strategy
+   */
+  secretOrKeyProvider?: (
+    request: Record<string, any>,
+    rawJwtToken: string,
+    done: (err: any, secret: string) => any
+  ) => any;
+
+  /**
+   * Alias of secret (for backwards compatibility)
+   */
+  secretOrPrivateKey?: string;
+
+  /**
+   * SignIn Options like expiresIn
+   */
+  signInOptions?: JwtSignOptions;
+}
+
 /**
  * Options for the server
  */
@@ -21,6 +63,18 @@ export interface IServerOptions {
    */
   automaticObjectIdFiltering?: boolean;
 
+  /**
+   * Whether to use the compression middleware package to enable gzip compression.
+   * See: https://docs.nestjs.com/techniques/compression
+   */
+  compression?: boolean | compression.CompressionOptions;
+
+  /**
+   * Whether to use cookies for authentication handling
+   * See: https://docs.nestjs.com/techniques/cookies
+   */
+  cookies?: boolean;
+
   /**
    * Cron jobs configuration object with the name of the cron job function as key
    * and the cron expression or config as value
@@ -105,46 +159,32 @@ export interface IServerOptions {
      */
     enableSubscriptionAuth?: boolean;
 
+    /**
+     * Maximum complexity of GraphQL requests
+     */
+    maxComplexity?: number;
+
     /**
      * Module options (forRootAsync)
      */
     options?: GqlModuleAsyncOptions;
   };
 
+  /**
+   * Ignore selections in fieldSelection
+   * [ConfigService must be integrated in ModuleService]
+   * If falsy (default): select and populate information in fieldSelection will be respected
+   * If truly: select fields will be ignored and only populate fields in fieldSelection will be respected
+   */
+  ignoreSelectionsForPopulate?: boolean;
+
   /**
    * Configuration of JavaScript Web Token (JWT) module
    */
   jwt?: {
-    /**
-     * Private key
-     */
-    privateKey?: string;
-
-    /**
-     * Public key
-     */
-    publicKey?: string;
-
-    /**
-     * Secret to encrypt the JWT
-     */
-    secret?: string;
-
-    /**
-     * JWT Provider
-     * See https://github.com/mikenicholson/passport-jwt/blob/master/README.md#configure-strategy
-     */
-    secretOrKeyProvider?: (
-      request: Record<string, any>,
-      rawJwtToken: string,
-      done: (err: any, secret: string) => any
-    ) => any;
-
-    /**
-     * Alias of secret (for backwards compatibility)
-     */
-    secretOrPrivateKey?: string;
-  } & JwtModuleOptions;
+    refresh?: IJwt;
+  } & IJwt &
+    JwtModuleOptions;
 
   /**
    * Load local configuration
@@ -154,6 +194,11 @@ export interface IServerOptions {
    */
   loadLocalConfig?: boolean | string;
 
+  /**
+   * Log exceptions (for better debugging)
+   */
+  logExceptions?: boolean;
+
   /**
    * Configuration for Mongoose
    */

package/src/core/common/interfaces/service-options.interface.ts

@@ -53,6 +53,10 @@ export interface ServiceOptions {
   processFieldSelection?: {
     model?: new (...args: any[]) => any;
     dbModel?: Model<any>;
+    // Ignore selections in fieldSelection and populate
+    // If falsy (default, if not set in env.config): select and populate information in fieldSelection and populate will be respected
+    // If truly: select fields will be ignored and only populate fields in fieldSelection and populate will be respected
+    ignoreSelections?: boolean;
   };
 
   // Prepare input configuration:

package/src/core/common/models/core-model.model.ts

@@ -125,4 +125,11 @@ export abstract class CoreModel {
     };
     return this.map(data, config);
   }
+
+  /**
+   * Verification of the user's rights to access the properties of this object
+   */
+  securityCheck(user: any, force?: boolean): this {
+    return this;
+  }
 }

package/src/core/common/plugins/complexity.plugin.ts

@@ -0,0 +1,31 @@
+import { GraphQLSchemaHost } from '@nestjs/graphql';
+import { Plugin } from '@nestjs/apollo';
+import { ApolloServerPlugin, GraphQLRequestListener } from 'apollo-server-plugin-base';
+import { GraphQLError } from 'graphql';
+import { fieldExtensionsEstimator, getComplexity, simpleEstimator } from 'graphql-query-complexity';
+import { ConfigService } from '../services/config.service';
+
+@Plugin()
+export class ComplexityPlugin implements ApolloServerPlugin {
+  constructor(private gqlSchemaHost: GraphQLSchemaHost, private configService: ConfigService) {}
+
+  async requestDidStart(): Promise<GraphQLRequestListener> {
+    const maxComplexity: number = this.configService.getFastButReadOnly('graphQl.maxComplexity');
+    const { schema } = this.gqlSchemaHost;
+
+    return {
+      async didResolveOperation({ request, document }) {
+        const complexity = getComplexity({
+          schema,
+          operationName: request.operationName,
+          query: document,
+          variables: request.variables,
+          estimators: [fieldExtensionsEstimator(), simpleEstimator({ defaultComplexity: 1 })],
+        });
+        if (maxComplexity !== undefined && complexity > maxComplexity) {
+          throw new GraphQLError(`Query is too complex: ${complexity}. Maximum allowed complexity: ${maxComplexity}`);
+        }
+      },
+    };
+  }
+}

package/src/core/common/plugins/mongoose-id.plugin.js

@@ -1,4 +1,4 @@
-module.exports = function mongooseIdPlugin(schema, options) {
+export function mongooseIdPlugin(schema, options) {
   schema.post(['find', 'findOne', 'save', 'deleteOne'], function (docs) {
     if (!Array.isArray(docs)) {
       docs = [docs];
@@ -10,4 +10,6 @@ module.exports = function mongooseIdPlugin(schema, options) {
       }
     }
   });
-};
+}
+
+module.exports = mongooseIdPlugin;

package/src/core/common/services/config.service.ts

@@ -129,28 +129,28 @@ export class ConfigService {
   /**
    * Get readable and writable deep-cloned property from configuration
    */
-  get(key: string, defaultValue: any = undefined) {
+  get<T = any>(key: string, defaultValue: any = undefined): T {
     return ConfigService.get(key, defaultValue);
   }
 
   /**
    * Get readable and writable deep-cloned property from configuration
    */
-  static get(key: string, defaultValue: any = undefined) {
+  static get<T = any>(key: string, defaultValue: any = undefined): T {
     return clone(_.get(ConfigService._configSubject$.getValue(), key, defaultValue), { circles: false });
   }
 
   /**
    * Get faster but read-ony deep-frozen property from configuration
    */
-  getFastButReadOnly(key: string, defaultValue: any = undefined) {
+  getFastButReadOnly<T = any>(key: string, defaultValue: any = undefined): T {
     return ConfigService.getFastButReadOnly(key, defaultValue);
   }
 
   /**
    * Get faster but read-ony deep-frozen property from configuration
    */
-  static getFastButReadOnly(key: string, defaultValue: any = undefined) {
+  static getFastButReadOnly<T = any>(key: string, defaultValue: any = undefined): T {
     return _.get(ConfigService._frozenConfigSubject$.getValue(), key, defaultValue);
   }